Hi!
Im trying to make a profile for firefox-esr.
I used aa-genprof to create it and then aa-logprof to update it.
I also use apparmor-notify to get error messages.
The problem is that I get constant apparmor messages like the
following:
Apparmor Message
Profile /usr/lib/firefox-esr/firefox-esr
Operation: file_lock
Name: /home/gpred/.mozilla/firefox/8i0h8b60.default-esr/-
webappsstore.sqlite
Denied: wk
Logfile: /var/log/kern.log
I run aa-logprof but it doesnt seem to detect the denied command. It
doesnt show me the option to allow it,deny it, etc. I also tried to
clear the kern.log and syslog files but after a while I have the same
problem.
Any ideas?
My firefox profile
# Last Modified: Sat Apr 9 12:18:47 2022
#include <tunables/global>
/usr/lib/firefox-esr/firefox-esr flags=(complain) {
#include <abstractions/X>
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/evince>
#include <abstractions/nameservice>
#include <abstractions/nvidia>
#include <abstractions/openssl>
#include <abstractions/postfix-common>
#include <abstractions/python>
#include <abstractions/totem>
#include <abstractions/ubuntu-browsers.d/ubuntu-integration>
#include <abstractions/ubuntu-konsole>
deny /home/*/AppData/** rw,
capability sys_admin,
signal send set=kill peer=/usr/lib/firefox-esr/firefox-esr//null-
/usr/lib/firefox-esr/firefox-esr,
signal send set=term peer=/usr/lib/firefox-esr/firefox-esr//null-
/usr/lib/firefox-esr/firefox-esr,
signal send set=term peer=/usr/lib/firefox-esr/firefox-esr//null-
/usr/lib/firefox-esr/plugin-container,
/etc/firefox-esr/firefox-esr.js r,
/etc/mailcap r,
/etc/mime.types r,
/proc/devices r,
/proc/driver/nvidia/params r,
/proc/filesystems r,
/proc/modules r,
/sys/devices/pci0000:00/0000:00:00.0/class r,
/sys/devices/pci0000:00/0000:00:00.0/device r,
/sys/devices/pci0000:00/0000:00:00.0/vendor r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/class r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/device r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/subsystem_device r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/subsystem_vendor r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/vendor r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/class r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/device r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/vendor r,
/sys/devices/pci0000:00/0000:00:01.0/class r,
/sys/devices/pci0000:00/0000:00:01.0/device r,
/sys/devices/pci0000:00/0000:00:01.0/vendor r,
/sys/devices/pci0000:00/0000:00:02.0/class r,
/sys/devices/pci0000:00/0000:00:02.0/device r,
/sys/devices/pci0000:00/0000:00:02.0/vendor r,
/sys/devices/pci0000:00/0000:00:04.0/class r,
/sys/devices/pci0000:00/0000:00:04.0/device r,
/sys/devices/pci0000:00/0000:00:04.0/vendor r,
/sys/devices/pci0000:00/0000:00:08.0/class r,
/sys/devices/pci0000:00/0000:00:08.0/device r,
/sys/devices/pci0000:00/0000:00:08.0/vendor r,
/sys/devices/pci0000:00/0000:00:12.0/class r,
/sys/devices/pci0000:00/0000:00:12.0/device r,
/sys/devices/pci0000:00/0000:00:12.0/vendor r,
/sys/devices/pci0000:00/0000:00:14.0/class r,
/sys/devices/pci0000:00/0000:00:14.0/device r,
/sys/devices/pci0000:00/0000:00:14.0/vendor r,
/sys/devices/pci0000:00/0000:00:14.2/class r,
/sys/devices/pci0000:00/0000:00:14.2/device r,
/sys/devices/pci0000:00/0000:00:14.2/vendor r,
/sys/devices/pci0000:00/0000:00:15.0/class r,
/sys/devices/pci0000:00/0000:00:15.0/device r,
/sys/devices/pci0000:00/0000:00:15.0/vendor r,
/sys/devices/pci0000:00/0000:00:16.0/class r,
/sys/devices/pci0000:00/0000:00:16.0/device r,
/sys/devices/pci0000:00/0000:00:16.0/vendor r,
/sys/devices/pci0000:00/0000:00:17.0/class r,
/sys/devices/pci0000:00/0000:00:17.0/device r,
/sys/devices/pci0000:00/0000:00:17.0/vendor r,
/sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/class r,
/sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/device r,
/sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/vendor r,
/sys/devices/pci0000:00/0000:00:1b.0/class r,
/sys/devices/pci0000:00/0000:00:1b.0/device r,
/sys/devices/pci0000:00/0000:00:1b.0/vendor r,
/sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/class r,
/sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/device r,
/sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/vendor r,
/sys/devices/pci0000:00/0000:00:1c.0/class r,
/sys/devices/pci0000:00/0000:00:1c.0/device r,
/sys/devices/pci0000:00/0000:00:1c.0/vendor r,
/sys/devices/pci0000:00/0000:00:1f.0/class r,
/sys/devices/pci0000:00/0000:00:1f.0/device r,
/sys/devices/pci0000:00/0000:00:1f.0/vendor r,
/sys/devices/pci0000:00/0000:00:1f.3/class r,
/sys/devices/pci0000:00/0000:00:1f.3/device r,
/sys/devices/pci0000:00/0000:00:1f.3/vendor r,
/sys/devices/pci0000:00/0000:00:1f.4/class r,
/sys/devices/pci0000:00/0000:00:1f.4/device r,
/sys/devices/pci0000:00/0000:00:1f.4/vendor r,
/sys/devices/pci0000:00/0000:00:1f.5/class r,
/sys/devices/pci0000:00/0000:00:1f.5/device r,
/sys/devices/pci0000:00/0000:00:1f.5/vendor r,
/sys/devices/system/cpu/cpu0/cache/index2/size r,
/sys/devices/system/cpu/cpu0/cache/index3/size r,
/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
/sys/devices/system/cpu/present r,
/sys/devices/system/memory/block_size_bytes r,
/usr/bin/chrome-gnome-shell mrix,
/usr/bin/lsb_release mrix,
/usr/bin/python3.9 ix,
/usr/bin/python3.9 r,
/usr/lib/firefox-esr/firefox-esr mrix,
/usr/lib/firefox-esr/plugin-container mrix,
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache r,
/var/lib/flatpak/exports/share/icons/hicolor/index.theme r,
owner /home/*/.cache/fontconfig/* r,
owner /home/*/.cache/mozilla/firefox/8i0h8b60.default-esr/** rw,
owner /home/*/.cache/mozilla/firefox/8i0h8b60.default-esr/.startup-
incomplete w,
owner
/home/*/.cache/nvidia/GLCache/4e72b67faf2c55a81064f0f669542d15/af453b2f
87001cad/f35e6a48c63c96b3.bin rwk,
owner
/home/*/.cache/nvidia/GLCache/4e72b67faf2c55a81064f0f669542d15/af453b2f
87001cad/f35e6a48c63c96b3.toc rwk,
owner /home/*/.config/dconf/user r,
owner /home/*/.config/mimeapps.list r,
owner /home/*/.config/pulse/cookie rk,
owner /home/*/.local/share/applications/mimeinfo.cache r,
owner /home/*/.mozilla/firefox/** rwk,
owner /proc/*/cgroup r,
owner /proc/*/comm r,
owner /proc/*/gid_map w,
owner /proc/*/maps r,
owner /proc/*/mountinfo r,
owner /proc/*/mounts r,
owner /proc/*/setgroups w,
owner /proc/*/smaps r,
owner /proc/*/stat r,
owner /proc/*/statm r,
owner /proc/*/status r,
owner /proc/*/task/*/comm rw,
owner /proc/*/task/*/stat r,
owner /proc/*/uid_map w,
owner /run/user/1000/ICEauthority r,
owner /usr/lib/firefox-esr/fonts/** rw,
owner /home/*/Downloads/** rw,
owner /home/*/** r,
}
